Google has released out-of-band security fixes for its Chrome browser to address three security issues, one of which is already being actively exploited in the wild. The high-severity flaw, tracked as CVE-2025-5419 with a CVSS score of 8.8, is an out-of-bounds read and write weakness in V8, the JavaScript and WebAssembly engine at the core of Chrome. A vulnerability of this type can allow a remote attacker to trigger heap corruption through a specially crafted HTML page.
The discovery and reporting of this critical zero-day vulnerability are credited to Clement Lecigne and Benoît Sevens.
Both researchers are part of Google's own Threat Analysis Group (TAG), and they identified the flaw on May 27, 2025. Google says it mitigated the issue within one day by pushing out a configuration change to the Stable channel of Chrome across all supported platforms, including Windows, macOS, and Linux. As is typical of such advisories, Google has provided limited details about the ongoing attacks and has not identified the threat actors behind them.
This CVE-2025-5419 flaw marks the second actively exploited zero-day vulnerability in Chrome that Google has patched this year alone.
The first one, CVE-2025-2783, was identified by Kaspersky as being weaponized in attacks that specifically targeted organizations located in Russia. Users are now strongly recommended to upgrade their Chrome browser to version 137.0.7151.68/.69 for Windows and macOS. Linux users should upgrade to version 137.0.7151.68 to safeguard against these potential threats. Users of other Chromium-based browsers like Microsoft Edge and Brave are also advised to apply fixes as they become available from those vendors.
While Google Chrome typically updates itself when new security patches are available, users can trigger the update manually by opening the Chrome menu, choosing Help, and selecting "About Google Chrome," which checks for and installs any pending update. Google has confirmed that an exploit for CVE-2025-5419 exists in the wild but will not share additional attack details until a majority of users have updated, to avoid enabling wider exploitation by other malicious actors. This year has already seen Google patch three Chrome zero-day vulnerabilities, highlighting the ongoing effort needed to keep browsers secure against sophisticated attacks.
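Checking for the fix on a fleet of Linux hosts means comparing the installed build number, not just the major version, against the patched build named in the advisory. The script below is an added example, not code from the article or from Google: it parses the banner printed by `google-chrome --version` (the function names `version_ge`, `chrome_version_from_banner` and `chrome_patched_status` are this example's own), compares dotted version strings component by component, and falls back to a constructed sample banner when Chrome is not installed so it runs offline.

```shell
#!/bin/sh
# Added example: verify an installed Chrome build is at or above the fixed
# version from the CVE-2025-5419 advisory. Not the article's or Google's code.

# Minimum fixed build for Linux per the advisory (Windows/macOS ship .68/.69,
# so .68 is the floor on every platform).
CHROME_FIXED_MIN="137.0.7151.68"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Compares numerically per component; missing components count as 0.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0   # every component equal
}

# chrome_version_from_banner "Google Chrome 137.0.7151.68": print the
# dotted version found after the last whitespace run in the banner.
chrome_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# chrome_patched_status BANNER: print "patched" or "VULNERABLE" and
# return 0 / 1 respectively; returns 2 if no version could be parsed.
chrome_patched_status() {
    v=$(chrome_version_from_banner "$1")
    if [ -z "$v" ]; then
        printf 'unknown (could not parse version from: %s)\n' "$1"
        return 2
    fi
    if version_ge "$v" "$CHROME_FIXED_MIN"; then
        printf 'patched (%s >= %s)\n' "$v" "$CHROME_FIXED_MIN"
        return 0
    fi
    printf 'VULNERABLE (%s < %s), update required\n' "$v" "$CHROME_FIXED_MIN"
    return 1
}

# Use the real binary when present; otherwise a constructed sample banner
# (hypothetical pre-fix build) so the script demonstrates the check offline.
if command -v google-chrome >/dev/null 2>&1; then
    banner=$(google-chrome --version 2>/dev/null)
else
    banner="Google Chrome 137.0.7151.55"   # constructed sample, not a real host
fi
chrome_patched_status "$banner" || true
```

Run it as a one-liner over SSH or from a configuration-management job; a non-zero exit status flags hosts that still need the update. Because the comparison is numeric per component, 137.0.7151.9 correctly sorts below 137.0.7151.68, which a plain string comparison would get wrong.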